Abstract. The advance of web services technologies promises to have 
far-reaching effects on the Internet and enterprise networks allowing for 
greater accessibility of data. The security challenges presented by the 
web services approach are formidable. In particular, access control so- 
lutions should be revised to address new challenges, such as the need 
of using certificates for the identification of users and their attributes, 
human intervention in the creation or selection of the certificates, and 
(chains of) certificates for trust management. With all these features, it 
is not surprising that analyzing policies to guarantee that a sensitive re- 
source can be accessed only by authorized users becomes very difficult. In 
this paper, we present an automated technique to analyze scenario-based 
specifications of access control policies in open and distributed systems. 
We illustrate our ideas on a case study arising in the e-government area. 



1 Introduction 

Access control aims at protecting data and resources against unauthorized dis- 
closure and modifications while ensuring access to authorized users. An access 
control request consists of a subject asking to perform a certain action on an 
object of a system. A set of policies allows the system to decide whether access 
is granted or denied by evaluating some conditions on the attributes of the sub- 
ject, the object, and the environment of the system (such as the identity, role, 
location, or time). For centralized systems, identifying subjects, objects, and the 
values of the attributes is easy since both subjects and objects can be adequately 
classified by identifiers that are assigned by the system itself. For open and dis- 
tributed systems such as those based on web technology, the situation is more 
complex as web servers receive and process requests from remote parties that are 
difficult to identify and to bind with their attribute values. Hence, certificates 
or credentials, attesting not only the identity but also the attributes of parties, 
must be exchanged to correctly evaluate access control queries. In many situa- 
tions, the creation and exchange of certificates require human intervention, e.g., 
to issue and sign a certificate or to pick one in a portfolio of available credentials. 
Furthermore — as observed in [18] among others — in distributed systems, a cer- 
tificate can be accepted or rejected depending on the trust relation between the 
receiver and its issuer. Additional flexibility can be gained by chains of creden- 
tials and trust. In this context, guaranteeing that only trusted users can access 
sensitive resources becomes a daunting task. 

1.1 Main Contributions 

In this paper, we propose a technique for the automated analysis of access control systems (ACS) in the presence of human activities for the creation and exchange 
of certificates together with trust management. Our approach combines a logic- 
based language with model checking based on Satisfiability Modulo Theories 
(SMT) solving. More precisely, we follow [17] and use Constraint Logic Pro- 
gramming (CLP) for the specification of policies and trust management with 
ideas adapted from [14]. The exchange of certificates and their interplay with 
the set of policies is modeled as a transition system of the type proposed in [19]. 
We show that interesting analysis problems of ACSs can be reduced to reacha- 
bility problems. Our main contribution is a decidability result for the (bounded) 
reachability problem of a sub-class of transition systems that can encode the 
analysis of scenario-based specifications of ACSs, i.e. situations in which the 
exchange of certificates is constrained by a given causality relation. Another 
contribution is a technique to reduce the number of possible interleavings while 
visiting reachable states. 

1.2 A Motivating Example: the Car Registration Office 

We consider a simplified version of the Car Registration Office (CRO) application in [4]. It consists of a citizen wishing to register his new car via an on-line service provided by the CRO. An employee of the CRO, Ed, checks if the request can be accepted according to some criteria. If so, Ed must store the request in a central repository CRep, which, in turn, checks if Ed is entitled to do so. To be successful, the storage request must be supported by three certificates: ise saying that Ed is an employee of the CRO, ish saying that Helen is the head of the CRO and cans saying that Helen granted Ed the permission to store documents in CRep. Role certificates must be signed by a trusted Certification Authority (CA) while Ed's permission certificate is signed by Helen; if this were not the case, the certificates should be rejected because the principal that signed the properties is untrusted. The generation of certificates (depicted in Fig. 1) is a non-mechanizable activity whose execution depends on decisions that are not modeled in the system but only on the human behavior. Another issue is how the certificates are sent to CRep in order to support Ed's storage request. Either Ed sends the certificates along with the request (user-pull) or CRep collects the necessary certificates upon reception of Ed's request (server-pull). 

Organization of the paper 

In Section 2, we give an overview of the main features of our approach, which 
we then detail in Section 3 where we formalize a class of access control schemas. 
In Sections 4 and 5, we present our main contributions: an automated analysis technique for scenario-based specifications and a heuristic for its scalability. In Section 6, we conclude and discuss related work. Formal preliminaries, a complete derivation of the CRO main query and an implementation of the scenario using the DKAL language can be found in the appendix, Section 7. 

2 Overview of the Main Features of our Approach 

Our goal is to automatically analyze situations in which (a) certificates are cre- 
ated or exchanged because of human intervention, (b) there is a need to reason 
about chains of credentials to establish the validity of a certificate, and (c) mes- 
sage exchanges comply with a causality relation. 

2.1 Certificates and non-mechanizable activities 

Inspired by [17, 14], we use a variant of Constraint Logic Programming (CLP) to 
abstractly represent certificates as well as to specify and reason about the trust 
relationships among principals and the restrictions on delegating the ability to 
issue certificates. 

Example 1. For the CRO scenario, the three certificates depicted in Fig. 1 can 
be expressed as the following CLP facts: 

(F1) uknows(CA, a2i(Ed, ise)) 
(F2) uknows(CA, a2i(Helen, ish)) 
(F3) uknows(Helen, a2i(Ed, cans)), 

where uknows represents the knowledge of a principal resulting from non-mechanizable activities only, called internal knowledge, and a2i is a constructor for the piece of knowledge about the binding of a property (e.g., being an employee, ise) with a principal (e.g., Ed). □ 

2.2 Exchange of certificates among principals 

Distributed access control is based on exchanging certificates among principals 
so that access decisions can be taken by one principal with all the necessary in- 
formation. So, we need to specify the actions that change the state of the system, 
that is the content of the network and the internal knowledge of the principals 
involved. To this end, we use the notion of transition system introduced in [19] 
for access control systems as follows. The network of messages is modeled by a 
ternary predicate msg with three arguments: the sender, the payload, and the 
receiver of the message. The action of p sending a message with payload x to q 
can be written as a transition 

knows(p, x) ⇒ ○ msg(p, said(x), q) (1) 

where knows represents the knowledge of a principal, both internal and acquired 
from the reception of messages from other principals, and said transforms a piece 
of knowledge into an assertion that can be communicated to other principals. 
The fact that internal knowledge is knowledge can be expressed by the CLP rule 

knows(p, x) ← uknows(p, x) (2) 

and the action of q receiving a message from p with s as payload is written as 

knows(q, s2i(p, s)) ← msg(p, s, q) (3) 

where s2i is a constructor for the piece of knowledge about the binding of the 
utterance s with a principal p. 

Example 2. For example, the action of CA sending the certificate that Ed is an 
employee to Ed himself can be formalized as an instance of (1), the reception of 
such a certificate by Ed as an instance of (3), and the derivation that Ed knows 
that CA has uttered (and signed) the property about Ed being an employee — 
formally, knows(Ed, s2i(CA, said(a2i(Ed, ise)))) — as an application of fact (F1) and 
rule (2). Notice that Ed cannot claim to know that he is an employee since he 
does not know whether CA is trusted on emitting this type of utterances. For 
this, suitable trust relationships should be specified. □ 

2.3 Trust relationships among principals 

We use again CLP rules. One rule is generic while the others are application dependent. The generic rule is 

knows(p, x) ← knows(p, s2i(q, said(x))) ∧ knows(p, a2i(q, tdOn(x))) (4) 

saying that a principal p may expand its knowledge to include the piece of information x as soon as another principal q has uttered said(x) and q is trusted on the same piece of knowledge x (the last part is encoded by the term a2i(q, tdOn(x))). 

Example 3. In the case of the CRO, we need also to consider the following four 
specific CLP rules, that encode the trust relationships among the various prin- 
cipals: 

(P1) knows(CRep, a2i(p, cans)) ← knows(CRep, a2i(q, ish)) ∧ knows(CRep, a2i(p, ise)) ∧ knows(CRep, s2i(q, said(a2i(p, cans)))) 
(P2) knows(p, a2i(CA, tdOn(x))) 
(P3) knows(p, a2i(q, tdOn(s2i(CA, said(x))))) 
(P4) knows(p, a2i(q, tdOn(s2i(r, said(a2i(q, cans)))))) ← knows(p, a2i(r, ish)) 

(P1) says that a principal p can store documents in the CRep if he is an employee of the CRO and his head permits it, (P2) says that the content of any utterance of the CA is trusted, (P3) says that an utterance of a principal repeating an utterance of the CA is trusted, and finally (P4) says that the head of the CRO is trusted when emitting an utterance granting permission to store documents in the CRep to a principal. □ 

2.4 Automated analysis of scenarios 

The formal framework sketched above allows us to develop automated analysis 
techniques to verify the availability (policies suitable for scenario's execution) 
or the security (critical operations performed by trusted principals) of typical 
scenarios in which an ACS should operate. Availability means that the policies are not so restrictive as to prevent the scenario from being executed, while security means that only trusted principals are granted access to sensitive resources or perform sensitive operations. Both problems can be reduced to checking whether, 
after performing a sequence of non-mechanizable activities and exchanging mes- 
sages among principals, it is possible to reach a configuration of the network 
in which an access control query (e.g., in the CRO, "Can Ed store the citizen's 
request in CRep?") gets a positive or a negative answer. 

In other words, we want to solve problems as stated by the following definition: 

Definition 1 (Reachability problems). Given the following conditions: 

— let the network be initially empty (formally, msg is interpreted as an empty relation), 

— H_0 be a set of facts derived from non-mechanizable activities (e.g., (F1), (F2) and (F3) described in Example 1), 

— and G be a conjunction of knows-facts describing an access control query (e.g., knows(CRep, a2i(Ed, cans)) for the CRO example), 

we aim to check whether there exist a sequence of n instances of the transition rule (1) and a sequence H_1, ..., H_n of knows-facts derived from non-mechanizable activities such that G is satisfied in the final state. 

To practically answer this question, initially we need to compute the fixpoint of the facts in H_0 with the CLP rules (2), (3), (4) and those formalizing specific trust relations. This process must be repeated at each step i = 1, ..., n with the facts describing the content of the network (derived by applying (3) at step i − 1), those in the set H_i and the CLP rules. Since more than one transition (1) can be enabled at any given step i, it is necessary, in general, to consider several possible execution paths. 

Not surprisingly, the reachability problem turns out to be quite difficult. 
Fortunately, in scenarios with constrained message exchanging (e.g., the user-pull 
or the server-pull configurations considered for the CRO above), the reachability 
problem becomes simpler. It is possible to fix a bound n of transitions to consider 
and apply a reduction technique to decrease the number of different execution 
paths to be explored as we will see in Sections 4 and 5. 

3 A Class of Access Control Schemas 

According to [19], we report, in the following, the definition of access control schema (in short ACS). 

Definition 2 (Access Control Schema). An ACS is a transition system (S, Q, ⊢, Ψ) where S is a set of states, Q is a set of queries, Ψ is a set of state-change rules, and ⊢ ⊆ S × Q is the relation establishing if a query q ∈ Q is satisfied in a given state γ ∈ S, written as γ ⊢ q. 

For s, s' ∈ S and ψ ∈ Ψ, we write s →_ψ s' when the change from s to s' is allowed by ψ. The reflexive and transitive closure of →_ψ is denoted by →_ψ*. 

Given an ACS (S, Q, ⊢, Ψ), an instance (s, q, ψ) of the reachability problem (see Definition 1) (where s ∈ S, q ∈ Q, and ψ ∈ Ψ) consists of asking whether there exists an s' ∈ S such that s →_ψ* s' and s' ⊢ q. 

3.1 The substrate theory T_S 

We define a class of ACSs by using formulae of (many-sorted) first-order logic [12] to represent states and transitions. To do this formally, we need to introduce a substrate theory T_S, i.e., a set of formulae that abstractly specifies the basic data-structures and operations relevant for both access control and trust management. The theory contains a (countably) infinite set of constants of sort Principal to identify users, suitable operations to build Attribute values, and the functions a2i : Principal × Attribute → Infon, s2i : Principal × Speech → Infon, said : Infon → Speech, tdOn : Infon → Attribute, that have been already informally described in Section 2. 

Moreover the substrate theory T_S contains the predicate symbol prim : Attribute that intuitively characterizes the set of "primitive" attributes, i.e., those already in the substrate that are not created by the "function" tdOn (e.g., ise, ish, cans for the CRO example). So, it is necessary to add to the substrate theory the following axiom 

∀x, a. tdOn(x) = a → ¬prim(a) 

where x is a variable of sort Infon and a is a variable of sort Attribute.¹ Another important aspect we want to remark is that, even if in this paper we assume, for the sake of simplicity, the standard situation (see, e.g., [20]) where insecure communication channels between each pair of principals are always available, it is easy to extend the substrate theory by adding axioms to characterize the "topology" of the system. 

We recall that the theory T_S identifies a class of structures that are models of all formulae in T_S and say that a formula φ is satisfiable modulo T_S iff there exists a model of T_S that makes φ true. 

3.2 The set S of states 

We consider the two predicate symbols uknows : Principal × Infon and msg : Principal × Speech × Principal already introduced in Section 2. We assume the availability of a finite set P_0 of CLP rules, also called policies, of the form 

A_0(x) ← A_1(x, y) ∧ ··· ∧ A_n(x, y) ∧ ξ(x, y), (5) 

where x and y are tuples of variables, A_0 is knows, A_i ∈ {knows, uknows} for i = 1, ..., n, and ξ is a quantifier-free formula of the substrate theory T_S. We assume P_0 to always contain (2), (3), and (4). Given a set F of constrained ground facts and the set P_0 of policies, the set S of states contains all the constrained ground facts obtained by computing the least fixpoint lfp(F ∪ P_0) of the ground immediate consequence operator on F ∪ P_0 (see, e.g., [17]). 

3.3 The set Q of queries and the satisfaction relation ⊢ 

A query is a conjunction of ground facts of the form uknows(p, x) ← ξ(x). We define ⊢ to be the standard consequence relation ⊨ of first-order logic [12]. 

¹ Indeed, the models of the theory considered here are a super-class of those considered in [14]. Here, we trade precision for the possibility of designing an automated procedure for discharging a certain class of proof obligations that encode interesting security analysis problems for the class of access control schemas that we are defining. 

3.4 The set Ψ of state-change rules 

A state-change rule is a formula of the form 

∃p, x, q. knows(p, x) ∧ ∀y, z, w. msg'(y, z, w) ⇔ msg(y, z, w) ∨ (y = p ∧ z = said(x) ∧ w = q) (6) 

that is usually abbreviated as (1). Intuitively, the unprimed and primed versions of msg denote the state of the network immediately before and after, respectively, the execution of the state-change rule. Let S_1 and S_2 be two states in S and ψ be a formula of the form (6); then S_1 →_ψ S_2 iff 

S_2 = {msg(y, z, w) ← (y = p ∧ z = said(x) ∧ w = q)σ | S_1 ∪ {knows(p, x)σ} is satisfiable modulo T_S for a ground substitution σ of p, x, q}. 

When S_2 ≠ ∅, the state-change rule is enabled in S_1; otherwise (i.e., S_2 = ∅) it is disabled in S_1. This concludes the definition of our class of access control schema. 

3.5 Reachability problems 

In the class of ACSs defined above, policies rely on conditions that are determined by the exchange of messages (cf. predicate msg and the CLP rule (3)) and non-mechanizable activities (cf. predicate uknows and the CLP rule (2)). The state-change rules in Ψ can only modify msg and leave uknows unconstrained since it is very difficult to model how humans decide to create a certain certificate. Returning to the CRO scenario, consider the assertion of fact (F3) as an example of a certificate that can be created at any time of the execution sequence of the system. To emphasize this aspect, we explicitly define the notion of (instance of) the reachability problem, although technically it can be derived from that of reachability problem given at the beginning of this section. 

Definition 3 (Instance of the reachability problem). Given a set P_0 of policies and a query G, an instance of the reachability problem amounts to establishing whether there exist an integer n ≥ 0 and constrained (ground) facts H_0(uknows_0), ..., H_{n−1}(uknows_{n−1}) such that 

R_n ∪ {G(knows_n)} is satisfiable modulo T_S, (7) 

where R_0 := lfp({H_0(uknows_0)} ∪ P_0(knows_0)); R_i →_ψ R'_{i+1}, R_{i+1} := lfp(R'_{i+1} ∪ {H_{i+1}(uknows_{i+1})} ∪ P_0(knows_{i+1})); msg_i, uknows_i and knows_i denote uniquely renamed copies of msg, uknows, and knows, respectively, and α(s_i) is the formula obtained from α by replacing each occurrence of the symbol s with the renamed copy s_i (for i = 0, ..., n + 1). 

Intuitively, R_0 is the initial knowledge of the principals computed from their internal knowledge and the (exhaustive) application of the policies without any exchange of messages (recall that, initially, we assume that the network contains no messages). Then, R_1 is obtained from R_0 by first applying one of the available state-change rules followed by the exhaustive application of the policies that allows each principal to possibly derive new knowledge from both the exchanged messages and their internal knowledge. The R_i's for i ≥ 2 can be similarly characterized. 

When there exists a value of n such that (7) holds, we say that G is reachable; otherwise (i.e., when, for every n ≥ 0, we have that (7) does not hold) we say that G is unreachable. If a bound n̄ on n is known, we talk of a bounded reachability problem (with bound n̄). Since the reachability problem is undecidable even without considering non-mechanizable facts (see [5] for details), in the rest of the paper we prefer to focus on identifying restricted instances of the (bounded) reachability problem that are useful in practice and can be automatically solved. 

4 Automated Analysis of Scenario-based Specifications 

Web service technology supports the development of distributed systems using 
services built by independent parties. Consequently, service composition and co- 
ordination become an important part of the web service architecture. Usually, 
individual specifications of web services are complemented by scenario-based 
specifications so that not only the intentions of individual services but also their 
expected interaction sequences can be documented. Interestingly, as we will show 
below, scenario-based specifications can be exploited to automatically and effi- 
ciently analyze security properties despite the well-known fact that unforeseen 
interplays among individually secure services may open security holes in their 
composition. The idea is to associate a scenario with an instance of a bounded 
reachability problem and then consider only the sequences of state-change rules 
that are compatible with the scenario itself. 

4.1 Scenarios and bounded reachability problem 

In our framework, a scenario is composed of a finite set of principals, some sequences of state-change rules of finite length, and a query G that encodes an availability or a security property. Since a state-change rule (1) to be enabled requires a principal to have some internal knowledge, this component of the scenario implicitly identifies a sequence H_0(uknows_0), ..., H_{n−1}(uknows_{n−1}) of non-mechanizable facts where n ≥ 0 is the length of the longest sequence of state-change rules. 

Example 4. An example of informal specification of a scenario is the Message Sequence Chart (MSC) for the CRO depicted on the left of Fig. 2 where the m_i's are the messages containing the utterances in the table on the right of the same figure. It is easy to find the instance of (1) that allows one to send each message m_i. The solid lines in the MSC impose an ordering on messages while dashed lines (called co-regions, see, e.g., [25]) do not. So, for example, CA can send the two certificates (in messages m1 and m2) about the roles of Ed and Helen to Ed in any order and these two certificates as well as the one sent by Helen about granting the permission to store documents in CRep (in message m3) can be received in any order by Ed. For the CRO, the query G := knows(CRep, a2i(Ed, cans)) encodes an availability property saying that the trusted user Ed can get the permission of storing the document in CRep. Since the length of the sequence of state-change rules specified by the scenario is 6, we can build an instance of the bounded reachability problem with bound n = 6 and the following sequence of non-mechanizable facts: H_0 := uknows(CA, a2i(Ed, ise)), H_1 := uknows(CA, a2i(Helen, ish)), H_2 := uknows(Helen, a2i(Ed, cans)), and H_i := true for i = 3, 4, 5. Other sequences are compatible with the scenario above; we just picked one. Such sequences are finitely many and can be exhaustively enumerated. □ 

[Fig. 2, left: MSC with lifelines CRep, Ed, CA, Helen; not reproducible in text.] 

Fig. 2, right: the utterances carried by the messages 

m1  said(a2i(Ed, ise)) 
m2  said(a2i(Helen, ish)) 
m3  said(a2i(Ed, cans)) 
m4  said(s2i(CA, said(a2i(Ed, ise)))) 
m5  said(s2i(CA, said(a2i(Helen, ish)))) 
m6  said(s2i(Helen, said(a2i(Ed, cans)))) 

Fig. 2: A user-pull scenario for the CRO: Ed sends to CRep the certificates for a positive answer to the query G := knows(CRep, a2i(Ed, cans)) 
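The fixpoint computation of Sections 2.4 and 3 on the scenario of this example, as an added worked example (not the paper's own code): a small forward-chaining engine applies rules (2), (3), (4) and (P1) to a least fixpoint, treats the universally quantified facts (P2), (P3), (P4) as a trust check, fires rule (1) for the six sends m1..m6 of Fig. 2, and checks G. A second, constructed run in which the permission certificate is signed by an assumed principal "Bob" who is not head of the CRO shows the security side: every send is still enabled, but G is not derived.

```python
# Added worked example (not the paper's own code): a forward-chaining engine
# for the CRO policies of Section 2 over the user-pull scenario of Fig. 2.
# Terms are nested tuples. Rules (2), (3), (4) and (P1) are closed to a least
# fixpoint; (P2)-(P4) are universally quantified facts and are implemented
# as the trust check trusted_on instead of being materialised.

CA, ED, HELEN, CREP = "CA", "Ed", "Helen", "CRep"

def a2i(p, a): return ("a2i", p, a)       # attribute a bound to principal p
def s2i(p, s): return ("s2i", p, s)       # utterance s bound to principal p
def said(x): return ("said", x)           # infon x turned into an utterance
def knows(p, x): return ("knows", p, x)
def uknows(p, x): return ("uknows", p, x)
def msg(p, s, q): return ("msg", p, s, q)

def is_app(t, f):
    return isinstance(t, tuple) and t[0] == f

def trusted_on(facts, p, q, x):
    """knows(p, a2i(q, tdOn(x))): an explicit fact or one of (P2), (P3), (P4)."""
    if knows(p, a2i(q, ("tdOn", x))) in facts:
        return True
    if q == CA:                                                   # (P2)
        return True
    if is_app(x, "s2i") and x[1] == CA and is_app(x[2], "said"):  # (P3)
        return True
    if is_app(x, "s2i") and is_app(x[2], "said") and x[2][1] == a2i(q, "cans"):
        return knows(p, a2i(x[1], "ish")) in facts                # (P4), r = x[1]
    return False

def lfp(facts):
    """Least fixpoint of (2), (3), (4) and (P1) over a set of ground facts."""
    facts = set(facts)
    while True:
        new = set()
        for f in facts:
            if f[0] == "uknows":                                  # (2)
                new.add(knows(f[1], f[2]))
            elif f[0] == "msg":                                   # (3)
                _, p, s, q = f
                new.add(knows(q, s2i(p, s)))
            elif f[0] == "knows":
                _, p, x = f
                if is_app(x, "s2i") and is_app(x[2], "said"):
                    q, y = x[1], x[2][1]
                    if trusted_on(facts, p, q, y):                # (4)
                        new.add(knows(p, y))
                    # (P1): CRep grants cans to y[1] when q is head, y[1] is
                    # an employee and CRep knows that q said a2i(y[1], cans)
                    if (p == CREP and is_app(y, "a2i") and y[2] == "cans"
                            and knows(CREP, a2i(q, "ish")) in facts
                            and knows(CREP, a2i(y[1], "ise")) in facts):
                        new.add(knows(CREP, a2i(y[1], "cans")))
        if new <= facts:
            return facts
        facts |= new

def run_scenario(H, sends):
    """Definition 3: R_0 = lfp(H_0); then for each send (p, x, q) fire rule (1)
    if knows(p, x) holds, and close under the policies together with the next
    batch H_i of non-mechanizable facts. Returns (final state, enabledness)."""
    state, trace = lfp(H[0]), []
    for i, (p, x, q) in enumerate(sends):
        enabled = knows(p, x) in state
        trace.append(enabled)
        if enabled:
            state = state | {msg(p, said(x), q)}
        state = lfp(state | (H[i + 1] if i + 1 < len(H) else set()))
    return state, trace

def reachable(H, sends, goal):
    state, trace = run_scenario(H, sends)
    return all(trace) and goal in state

# Example 4: non-mechanizable facts H_0..H_5 and the messages m1..m6 of Fig. 2
H_USER_PULL = [{uknows(CA, a2i(ED, "ise"))}, {uknows(CA, a2i(HELEN, "ish"))},
               {uknows(HELEN, a2i(ED, "cans"))}, set(), set(), set()]
USER_PULL = [
    (CA, a2i(ED, "ise"), ED),                       # m1
    (CA, a2i(HELEN, "ish"), ED),                    # m2
    (HELEN, a2i(ED, "cans"), ED),                   # m3
    (ED, s2i(CA, said(a2i(ED, "ise"))), CREP),      # m4
    (ED, s2i(CA, said(a2i(HELEN, "ish"))), CREP),   # m5
    (ED, s2i(HELEN, said(a2i(ED, "cans"))), CREP),  # m6
]
G = knows(CREP, a2i(ED, "cans"))

def untrusted_variant():
    """Constructed security check (assumed principal Bob, not head of the CRO):
    the permission is signed by Bob, so CRep must not derive G."""
    H = [{uknows(CA, a2i(ED, "ise"))}, {uknows(CA, a2i(HELEN, "ish"))},
         {uknows("Bob", a2i(ED, "cans"))}, set(), set(), set()]
    sends = USER_PULL[:2] + [("Bob", a2i(ED, "cans"), ED)] + USER_PULL[3:5] \
        + [(ED, s2i("Bob", said(a2i(ED, "cans"))), CREP)]
    return H, sends
```

Running reachable(H_USER_PULL, USER_PULL, G) yields True, while the Bob variant leaves CRep knowing that Ed is an employee but never knowing a2i(Ed, cans).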



4.2 Decidability of a class of instances of the reachability problem 

It would be interesting to find conditions that guarantee the decidability of this kind of instances of the bounded reachability problem with a given sequence of non-mechanizable facts. Before doing this, we need to discuss the following four technical conditions on the substrate theory T_S. 

First, the fact that there is a finite and known number of principals in any scenario can be formalized by requiring the substrate theory T_S to be such that: 

(C1) T_S ⊨ ∀x. (⋁_{c ∈ C} x = c) ∧ ⋀_{c1 ∈ C, c2 ∈ C \ {c1}} c1 ≠ c2 

where C is a finite set of constants of sort Principal. This imposes that there are exactly |C| principals. 

The second condition concerns the form of the policies: (C2) for each CLP rule in P_0, all the variables in its body but not in its head range over the set C of principals. For the fixpoint computation required to solve an instance of the reachability problem, variables not occurring in the head of a CLP rule but only in its body must be eliminated by a suitable (quantifier elimination) procedure (see, e.g., [17]). Assuming that such variables range only over the set C of principals — cf. condition (C1) — it is possible to replace each one of them with the constants in C and take the disjunction. 

The third and fourth conditions state respectively that: (C3) Ts must be 
closed under sub-structures (see Section 7.1 in Appendix) and (C4) Ts must be 
locally finite (see Section 7.1 in Appendix). Examples of effectively locally finite theories are the theory of an enumerated data-type or the theory of linear orders (cf., e.g., [24] for more details). The last two (more technical) conditions allow us 
to reduce the satisfiability of a formula containing universal quantifiers (namely, 
those in the CLP rules) to the satisfiability of ground formulae by instantiating 
variables with finitely many (representative) terms. This implies the decidability 
of the satisfiability modulo Ts of (7) (in the definition of reachability problem) 
provided that it is decidable to check the satisfiability modulo Ts of ground 
formulae. 

Theorem 1. Let P_0 be a finite set of policies, G a query, and H_0, ..., H_{n−1} a sequence of non-mechanizable facts (n ≥ 1). If (C1), (C2), (C3), and (C4) are satisfied and the satisfiability modulo T_S of ground formulae is decidable, then the instance of the bounded reachability analysis problem (with bound n, sequence H_0, ..., H_{n−1} of non-mechanizable facts, and query G) is decidable. 

The proof of this result uses previous work [24] (see Section 7.2 in the Appendix) 
and yields the correctness of the automated analysis technique in Fig. 3. 

This is only a first step towards the design of a usable automated technique. 
In fact, at each iteration of the procedure, the solution of the bounded reach- 
ability problem (at step 1(c)) requires to compute a fix-point and to check the 
satisfiability modulo the substrate theory. Such activities can be computation- 
ally quite expensive and any means of reducing their number is obviously highly 
desirable. 

5 A Reduction Technique 

The main drawback of the procedure in Fig. 3 is step 1 that forces the enumeration of all sequences in Σ. Unfortunately, Σ can be very large, e.g., there are 12 execution paths of CRO that are compatible with the MSC in Fig. 2. To overcome this problem, in the rest of this section, we design a reduction technique that allows for the parallel execution of a group of "independent" exchanges of messages so that several sequences of Σ can be considered at the same time in one iteration of step 1 in the algorithm of Fig. 3. In this way, the number of fixpoint computations and satisfiability checks may be significantly reduced. The key to this refinement is a compact representation of the set Σ based on an adaptation of Lamport's happened-before relation ⇝ [16]. There are many possible choices to describe Σ, ranging from MSCs (as done in the previous section) to BPEL workflows for web services augmented with access control information [8]. We have chosen ⇝ as a starting point because it is at the same time simple and general, and simplifies the design of our reduction technique. 
Input: a substrate theory T_S, a set P_0 of policies, and a scenario (a finite set C of principals, a set Σ of sequences of state-change rules of finite length, a query G) 

Output: G is reachable/unreachable 

Assumptions: (C1), (C2), (C3), and (C4) are satisfied 

1. For each sequence σ ∈ Σ: 

(a) Determine the sequence H_0, ..., H_{|σ|} of non-mechanizable facts that enables the corresponding sequence of instances of the state-change rule (1). 

(b) Build an instance of the bounded reachability problem with bound |σ|, the non-mechanizable facts of the previous step, and the given query G. 

(c) Try to solve the instance of the bounded reachability problem built at the previous step. 

(d) If one of the instances at the previous step turns out to be solvable, return that the query G is reachable. 

2. Return that the query G is unreachable (if step 1(d) is never executed). 

Fig. 3: Automated Analysis of Scenario-based Specifications (interleaving semantics) 



5.1 The Causality Relation 

⇝ is a means of ordering a set L of events based on the potential causal relationship of pairs of events in a concurrent system. Formally, ⇝ is a partial order on L, i.e., it is irreflexive (not l ⇝ l for l ∈ L), transitive (if l1 ⇝ l2 and l2 ⇝ l3 then l1 ⇝ l3 for l1, l2, l3 ∈ L), and anti-symmetric (if l1 ⇝ l2 then not l2 ⇝ l1 for l1, l2 ∈ L). 

Two distinct events l1 and l2 are concurrent if neither l1 ⇝ l2 nor l2 ⇝ l1 (i.e., they cannot causally affect each other). In the usual interleaving semantics, the set of possible executions can be seen as the set of all linear orders that extend ⇝. Formally, ⇝_t is a linear extension of ⇝ if ⇝_t is a total order (i.e., a partial order that is also total: for every l1, l2 ∈ L we have that l1 ⇝_t l2 or l2 ⇝_t l1) that preserves ⇝ (i.e., for every l1, l2 ∈ L, if l1 ⇝ l2, then l1 ⇝_t l2). 

For example, if L = {l1, l2} and l1 and l2 are concurrent, then both l1 ⇝_t l2 and l2 ⇝_t l1 are possible linear extensions since l1 and l2 cannot causally affect each other. Enumerating all the elements of the set Σ(⇝) of linear extensions of the partial order ⇝ can be done in O(|Σ(⇝)|) constant amortized time [22] and computing |Σ(⇝)| (i.e., counting the number of linear extensions of ⇝) is #P-complete [9]. 

In our framework, L is the set of instances of the state-change rule (1) considered in a scenario-based specification. Thus, the relation ⇝ must be specialized so that the following two constraints hold: 

(COMP1) the enabledness of concurrent (according to ⇝) instances of (1) must be preserved — i.e., two such instances should not causally affect each other by enabling (disabling) a disabled (enabled, respectively) state-change rule, 

(COMP2) any execution of the concurrent events in a (finite) set L, each of which causally affects another event l not in L, results in a state in which l is enabled. 

These requirements are formalized as follows. 

(COMP1) if l2 is enabled (disabled) in state S then it is still enabled (disabled, respectively) in state S' for S →_{l1} S', and the same must hold when swapping l1 with l2. 

(COMP2) if Pre(l') ⊆ L is such that l ⇝* l' for each l ∈ Pre(l') and there is no l'' ∈ L \ Pre(l') such that l'' ⇝ l', then l' is enabled in S' where S →_{l1} ··· →_{lk} S' and Pre(l') = {l1, ..., lk}. 

(COMP1) implies that the execution of either l1 or l2 followed by l2 or l1, respectively, will produce two identical states provided that the two executions start from the same initial state. (COMP2) says that once the action of sending a message is enabled, it persists to be so; this is related to the fact that instances of (1) can only add messages to msg. Although (COMP2) seems to be restrictive at first sight, it is adequate for checking reachability (safety) properties as we do in this paper. 

Definition 4 (Causality Relation). A partial order relation $\leadsto$ on a finite set $L$ of instances of (1) that satisfies (COMP1) and (COMP2) is called a causality relation.

The tuple $(C, L, \leadsto, G)$ identifies a scenario $(C, \Sigma, G)$ for $C$ a finite set of principals, $G$ a ground query, and $\Sigma$ the set of sequences obtained by enumerating all the linear extensions of $\leadsto$ on $L$. Since any linear extension of $\leadsto$ is of finite length (as $\leadsto$ is acyclic), we will also call $(C, L, \leadsto, G)$ a scenario.

We observe that when the state $S$ is given, it is possible to show that both (COMP1) and (COMP2) are decidable (the proof is similar to that of Theorem 1). In practice, it is not difficult to argue that (COMP1) and (COMP2) hold for a given scenario.

Example 5. To illustrate this, we reconsider the scenario informally specified in Fig. 2 for the CRO and recast it in the formal framework developed above, as shown in Fig. 4.

There is an obvious correspondence between the entries of the tables in the two figures. The message $m_1$ is the result of executing SEC, $m_2$ of SHC, $m_3$ of SPC, $m_4$ of SEC2, $m_5$ of SHC2, and $m_6$ of SPC2. There is also a correspondence between the MSC in Fig. 2 and the causality relation $\leadsto$ in Fig. 4.

Now, we show that the requirement (COMP1) holds for each pair $(l_1, l_2)$ of concurrent rule instances in $L$ as follows. For (SEC) and (SHC), we have that if the latter is enabled (disabled) before the execution of the former, it remains enabled (disabled, respectively) after its execution; the vice versa also holds. Similar observations hold also for the remaining pairs of concurrent events in $L$.

C := {Ed, Helen, CA, CRep}

L := {SEC, SEC2, SHC, SHC2, SPC, SPC2}

$\leadsto$ is the smallest partial order s.t.:

- SEC $\leadsto$ SEC2
- SHC $\leadsto$ SHC2
- SPC $\leadsto$ SPC2

(SEC)  knows(CA, a2i(Ed, ise)) ⇒ ⊕msg(CA, said(a2i(Ed, ise)), Ed)
(SHC)  knows(CA, a2i(Helen, ish)) ⇒ ⊕msg(CA, said(a2i(Helen, ish)), Ed)
(SPC)  knows(Helen, a2i(Ed, cans)) ⇒ ⊕msg(Helen, said(a2i(Ed, cans)), Ed)
(SEC2) knows(Ed, s2i(CA, said(a2i(Ed, ise)))) ⇒ ⊕msg(Ed, said(s2i(CA, said(a2i(Ed, ise)))), CRep)
(SHC2) knows(Ed, s2i(CA, said(a2i(Helen, ish)))) ⇒ ⊕msg(Ed, said(s2i(CA, said(a2i(Helen, ish)))), CRep)
(SPC2) knows(Ed, s2i(Helen, said(a2i(Ed, cans)))) ⇒ ⊕msg(Ed, said(s2i(Helen, said(a2i(Ed, cans)))), CRep)

Fig. 4: Formalization of the CRO scenario in Fig. 2

Then, we show that the requirement (COMP2) holds for the events (SEC) and (SEC2), which are such that (SEC) $\leadsto$ (SEC2). When (SEC) is executed, (SEC2) becomes enabled since the fact msg(CA, said(a2i(Ed, ise)), Ed) holds as the result of executing (SEC): by the CLP rule (3) it is possible to derive knows(Ed, s2i(CA, said(a2i(Ed, ise)))), which is precisely the enabling condition of (SEC2). Similar observations hold for (SHC) and (SHC2) as well as (SPC) and (SPC2). Intuitively, $\leadsto$ formalizes the obvious remark that, before Ed can forward a certificate to CRep (about his role, Helen's role, or the permission to store documents), he must have preliminarily received it, regardless of the order in which he has received the certificates from CA and Helen. □



5.2 A reduction technique based on causality relations

So far, we have shown that a causality relation can be exploited to compactly specify a scenario. Here, we show how it can be used to dramatically reduce the number of fix-point computations and satisfiability checks required by the analysis technique in Fig. 3 while preserving its completeness. The key idea is the following.

Since pairs of concurrent rule instances cannot causally affect each other, it is possible to execute them in parallel, i.e. adopting a partial order semantics. In fact, any linearization of the parallel execution, in the usual interleaving semantics, will yield the same final state obtained from the parallel execution. This has two advantages.

First, a single parallel execution of concurrent events corresponds to a (possibly large) set of linear executions. Second, the length of the parallel execution is shorter than those of the associated linear executions. The number of fix-point computations and satisfiability checks needed to solve a bounded reachability problem can be reduced depending on the degree of independence of the rule instances in the scenario. The price to pay is a modification of the definition of reachability problem (cf. the end of Section 3) to adopt a partial order semantics. We explain these ideas in more detail below.

Let Po be a (finite) set of policies and $(C, L, \leadsto, G)$ a scenario, where $C$ is a finite set of principals, $L$ is a finite set of rule instances of (1), $\leadsto$ is a causality relation, and $G$ a query.

Definition 5 (Reachability problem with partial-order semantics compatible with the causality relation $\leadsto$). An instance of this problem amounts to establishing whether there exist an integer $n \geq 0$ and (ground) constraint facts $H_0(\mathsf{uknows}_0), \ldots, H_{n-1}(\mathsf{uknows}_{n-1})$ s.t. $\mathcal{R}_n \cup \{G(\mathsf{knows}_n)\}$ is satisfiable modulo $T_S$, where $\mathcal{R}_0 := lfp(\{H_0(\mathsf{uknows}_0)\} \cup Po(\mathsf{knows}_0))$, $\mathcal{R}_{i+1} := lfp(R_{i+1} \cup \{H_{i+1}(\mathsf{uknows}_{i+1})\} \cup Po(\mathsf{knows}_{i+1}))$, and $\mathcal{R}_i \rightarrow_{l_1} \cdots \rightarrow_{l_k} R_{i+1}$ for $l_1, \ldots, l_k \in L$ such that any pair $(l_a, l_b)$ is of concurrent events ($a, b = 1, \ldots, k$ and $a \neq b$).

Definition 5 is almost identical to Definition 3. The main difference is in allowing the execution of a sequence $l_1, \ldots, l_k$ of exchanges of messages provided that these are pairwise concurrent with respect to the causality relation. Intuitively, we cumulate the effect of executing the instances $l_1, \ldots, l_k$ of (1) in a single step so that each principal can derive more knowledge from the exchange of several messages than from the exchange of just one message, as was the case with the definition of reachability problem in Section 3.

With this new definition of reachability problem, we propose in Fig. 5 a refinement of the analysis technique in Fig. 3. The main differences between the two techniques are the following. In input, the scenario is given by using the notion of causality relation in order to exploit the new definition of reachability problem with the partial order semantics. Then, instead of considering all the possible linear extensions of $\leadsto$ (as in Fig. 3), sets of pairwise concurrent events for parallel execution are computed by using the causality relation. The idea is to use the Hasse diagram $CG(\leadsto)$, called the causality graph in the following, associated to $\leadsto$, i.e. the transitive reduction of the relation $\leadsto$ seen as an oriented graph. The crucial observation is that concurrent events can be identified by looking at those nodes that are not connected by a path in the causality graph. Formally, we need the following notion. An element $l$ is minimal in $L$ with respect to $\leadsto$ iff there is no element $l' \in L$ such that $l' \leadsto l$. Since $L$ is finite, minimal elements of $\leadsto$ must exist (this is a basic property of partial orders over finite sets). In step 2, the rule instances labeling the minimal elements in $L$ with respect to $\leadsto$, which correspond to nodes with no incoming edges in the causality graph, are the only ones that require non-mechanizable facts for them to be enabled. In fact, all the rule instances labeling non-minimal elements with respect to the causality relation are enabled by the execution of one or more rule instances that label ancestor nodes in the causality graph, because of (COMP2). This is why we compute $H_0$ in step 3 while all the other sets of non-mechanizable facts are vacuously set to true in step 5. The rule instances in $L_{P_0}$ labeling the nodes in $P_0$ are concurrent because of (COMP1). In step 4, we exploit this observation to compute the other sets of concurrent rule instances that can be executed in parallel by modifying the causality graph: the nodes and the edges whose sources are in $P_0$ are deleted from $CG(\leadsto)$ so that the set $P_1$ of nodes with no incoming edges can be identified. The rule instances in $L_{P_1}$ labeling the nodes in $P_1$ are the new concurrent events that can be executed in parallel, and so on. The procedure eventually terminates when no more nodes are left in the causality graph. Then, in step 5, the new definition of bounded reachability problem compatible with the causality relation $\leadsto$ can be exploited by using the sets $L_{P_0}, \ldots, L_{P_j}$ of rule instances to be executed in parallel. If the instance is solvable then the query $G$ is reachable, otherwise it is unreachable. The correctness of the refined analysis in Fig. 3 stems from the fact that, by definition of causality relation, there exists an execution in the interleaving semantics for the concurrent events executed in parallel (because of (COMP1)), and the execution of rule instances that must happen before (with respect to $\leadsto$) enables the execution of those that happen afterwards (according to (COMP2)).

Input: a substrate theory $T_S$, a set Po of policies, and a scenario $(C, L, \leadsto, G)$ (a finite set $C$ of principals, a finite set $L$ of instances of (1), a causality relation $\leadsto$, a query $G$)
Output: $G$ is reachable/unreachable

Assumptions: (C1), (C2), (C3), (C4), (COMP1), and (COMP2) are satisfied

1. Let $CG(\leadsto)$ be the causality graph associated to $\leadsto$.

2. Compute the set $P_0$ of nodes in $CG(\leadsto)$ with no incoming edges and let $L_{P_0}$ be the set of rule instances of (1) in $L$ labeling the nodes in $P_0$.

3. Determine the set $H_0$ of non-mechanizable facts that enables all the rule instances in $L_{P_0}$.

4. Set $j = 0$ and, while the set of nodes in $CG(\leadsto)$ is non-empty, do

   (a) Delete from $CG(\leadsto)$ all the nodes in $P_j$ and the edges whose sources are in $P_j$, and increment $j$ by 1.

   (b) Compute the set $P_j$ of nodes in $CG(\leadsto)$ with no incoming edges and let $L_{P_j} \subseteq L$ be the set of rule instances labeling the nodes in $P_j$.

5. Build an instance of the bounded reachability problem with partial order semantics compatible with the causality relation $\leadsto$ with bound $j$, sequence $H_0, H_1, \ldots, H_j$ of non-mechanizable facts where $H_i := true$ for $i = 1, \ldots, j$, and the input query $G$. At each step $i$ of the bounded reachability problem, the rule instances in $L_{P_i}$ must be used for parallel execution.

6. If the instance of the bounded reachability problem is solvable, then return that the query $G$ is reachable; otherwise, return that $G$ is unreachable.

Fig. 5: Automated Analysis of Scenario-based Specifications (partial order semantics)

We briefly illustrate how the refined version of the automated analysis works on the scenario in Fig. 2 of the CRO. According to the causality relation in Fig. 4, (SEC), (SHC), and (SPC) are minimal elements of $\leadsto$ (step 2). Thus, the non-mechanizable fact $H_0$ enabling their execution is the conjunction of the following three facts: uknows(CA, a2i(Ed, ise)), uknows(CA, a2i(Helen, ish)), and uknows(Helen, a2i(Ed, cans)). Deleting the nodes labeled by (SEC), (SHC), and (SPC) with the corresponding edges in the causality graph leaves us with a graph containing three isolated nodes labeled by (SEC2), (SHC2), and (SPC2) that can be executed in parallel. As a consequence, the bound of the reachability problem is 2: initially, the parallel execution of (SEC), (SHC), and (SPC) is enabled because of the non-mechanizable facts in $H_0$, while the parallel execution of (SEC2), (SHC2), and (SPC2) is enabled, in the following step, because of the three new certificates available in the net. Even in this simple example, the savings of the reduction technique are important: the two-step parallel execution corresponds to 6 interleaved executions that must be considered when using the technique in Fig. 3.
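The layering of Fig. 5 and the parallel execution of Definition 5, applied to the CRO scenario of Fig. 4, as an added Python example that is not code from the paper or from WSSMT. It assumes a single ground inference rule (the text's reading of CLP rule (3): the receiver of msg(p, i, q) comes to know s2i(p, i)) and omits the paper's rules (1)-(4) and CRep's policies (P1)-(P4), so it checks that all three countersigned certificates reach CRep rather than the goal query itself; it also counts the linear extensions of $\leadsto$ by brute force for comparison with the two parallel steps.

```python
"""Added example, not code from the paper or from WSSMT: the causality-graph
layering of Fig. 5 (steps 1-4) run on the CRO scenario of Fig. 4, followed by a
ground, constraint-free execution of the resulting layers in the partial-order
semantics of Definition 5.  Assumption: the only inference modelled is the
text's reading of CLP rule (3), "msg(p, i, q) lets q know s2i(p, i)"; the
paper's rules (1)-(4) and the policies (P1)-(P4) of CRep are not reproduced."""
from itertools import permutations

# Causality relation of Fig. 4 as its Hasse diagram: (a, b) means a ~> b.
CAUSALITY = [("SEC", "SEC2"), ("SHC", "SHC2"), ("SPC", "SPC2")]
EVENTS = ["SEC", "SHC", "SPC", "SEC2", "SHC2", "SPC2"]

# Infon constructors, mirroring the paper's a2i / said / s2i notation.
def a2i(p, a):
    return ("a2i", p, a)

def said(i):
    return ("said", i)

def s2i(p, i):
    return ("s2i", p, i)

# Rule instances of Fig. 4: enabling knows-atom (principal, infon) and the
# msg-atom (sender, infon, receiver) the instance adds to the network.
RULES = {
    "SEC": (("CA", a2i("Ed", "ise")), ("CA", said(a2i("Ed", "ise")), "Ed")),
    "SHC": (("CA", a2i("Helen", "ish")), ("CA", said(a2i("Helen", "ish")), "Ed")),
    "SPC": (("Helen", a2i("Ed", "cans")), ("Helen", said(a2i("Ed", "cans")), "Ed")),
    "SEC2": (("Ed", s2i("CA", said(a2i("Ed", "ise")))),
             ("Ed", said(s2i("CA", said(a2i("Ed", "ise")))), "CRep")),
    "SHC2": (("Ed", s2i("CA", said(a2i("Helen", "ish")))),
             ("Ed", said(s2i("CA", said(a2i("Helen", "ish")))), "CRep")),
    "SPC2": (("Ed", s2i("Helen", said(a2i("Ed", "cans")))),
             ("Ed", said(s2i("Helen", said(a2i("Ed", "cans")))), "CRep")),
}

# H_0 (Fig. 5, step 3): the non-mechanizable facts enabling the minimal instances.
H0 = {("CA", a2i("Ed", "ise")), ("CA", a2i("Helen", "ish")),
      ("Helen", a2i("Ed", "cans"))}

def precedes(a, b, causality):
    """True iff a ~> b in the transitive closure of the Hasse diagram."""
    frontier, seen = [a], set()
    while frontier:
        node = frontier.pop()
        for (s, t) in causality:
            if s == node and t not in seen:
                if t == b:
                    return True
                seen.add(t)
                frontier.append(t)
    return False

def is_concurrent(a, b, causality):
    """Distinct events neither of which causally precedes the other."""
    return a != b and not precedes(a, b, causality) and not precedes(b, a, causality)

def count_linear_extensions(events, causality):
    """|E(~>)| by brute force: total orders on events that preserve ~>.  Fine
    for six events; in general the count is #P-complete, as the text notes."""
    return sum(1 for order in permutations(events)
               if all(order.index(s) < order.index(t) for (s, t) in causality))

def layers(events, causality):
    """Fig. 5, steps 2-4: repeatedly take the nodes with no incoming edge, then
    delete them with the edges leaving them.  Layer j is L_{P_j}, the set of
    pairwise concurrent instances executed in parallel at step j."""
    nodes, edges, plan = set(events), set(causality), []
    while nodes:
        minimal = sorted(n for n in nodes if not any(t == n for (_, t) in edges))
        if not minimal:
            raise ValueError("causality relation is not acyclic")
        plan.append(minimal)
        nodes -= set(minimal)
        edges = {(s, t) for (s, t) in edges if s not in minimal}
    return plan

def derive_knows(msgs):
    """Assumed reading of CLP rule (3): the receiver of msg(p, i, q) knows s2i(p, i)."""
    return {(q, s2i(p, i)) for (p, i, q) in msgs}

def parallel_run(rules, plan, h0):
    """Execute the layers of plan (Definition 5): every instance of a layer must
    be enabled in the current state and their effects are cumulated in one
    step.  Only H_0 carries non-mechanizable facts; later H_i are vacuously
    true (Fig. 5, step 5).  Returns the final (knows, msgs) state."""
    knows, msgs = set(h0), set()
    for step, names in enumerate(plan):
        for name in names:
            if rules[name][0] not in knows:
                raise RuntimeError(f"{name} is not enabled at step {step}")
        msgs |= {rules[name][1] for name in names}  # (COMP1): order is irrelevant
        knows |= derive_knows(msgs)                  # (COMP2): next layer enabled
    return knows, msgs

def certificates_held_by(principal, knows):
    """Infons a principal has received; for CRep, the inputs to (P1)-(P4)."""
    return {i for (p, i) in knows if p == principal}
```

`layers(EVENTS, CAUSALITY)` yields the two layers of the walkthrough above, and `parallel_run` reaches a state in which CRep holds the three countersigned certificates after exactly two steps.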

We have implemented a prototype of the procedure above in WSSMT [3] 
that uses the SMT solver Z3 [31] for fix-point computation and SMT solving. 
The time taken to analyze the scenario in Fig. 4 with this prototype is negligible; 
larger examples are discussed in [3]. 

6 Discussion 

We presented an automated technique to analyze scenario-based specifications of access control policies in open and distributed systems that takes into account human activities. It uses an instance of CLP to express policies and trust relationships, and reduces the analysis problem to fix-point computations and satisfiability checks. The first contribution is the decidability of the analysis of scenario-based specifications of ACSs. The second contribution is a reduction technique that allows us to make the decidability result useful in practice.

There are three main lines of research that are related to our work. First, several logic-based frameworks (e.g., [19, 14, 7, 15, 1, 24]) have been proposed to specify and analyze authorization policies with conditions depending on the environment of the system in which they are enforced. In principle, it is possible to consider the conditions depending on the execution of human activities as part of the environment and then re-use the available specification and analysis techniques. The problem in doing this is that the conditions for the execution of human activities are not explicitly modeled in the system, so that their applicability is unconstrained. This results in a dramatic increase of the search space that makes the application of the available techniques difficult, if possible at all. We avoid this state-explosion problem by considering scenario-based specifications that allow one to focus on a small subset of the possible sequences of events, as explained in Section 5. It would be interesting to adapt the abduction techniques in [6, 15] to identify which non-mechanizable facts need to be generated for the executability of complex scenarios in which condition (COMP2), about the "monotonicity" of the events (Section 5), does not hold.

The second line of research is related to workflow analysis in presence of authorization policies, e.g., [8, 28]. On the one hand, such works specify the workflow as a partial ordering on tasks that is similar to the causality relation introduced here. On the other hand, these works abstract away the data-flow so that there is no need to specify compatibility conditions on the causality relation (cf. (COMP1) and (COMP2) in Section 5) as we do here because of the modelling of the exchange of messages among principals. Another difference is that the specification of authorization policies is reduced to a minimum in [8, 28] so as to simplify the study of the completion problem, i.e., whether there exists at least one assignment of users to tasks that allows for the execution of the whole workflow. Instead, we focus on reachability problems and we model, besides authorization policies, also trust relationships among principals. It would be interesting to study the decidability of the completion problem also in our richer framework.

The third line of research concerns the development of (semi-)formal techniques for the analysis of human interventions. In [10, 27] the authors aim to determine how a task is executed by humans and what special factors are involved to accomplish the goal the task is supposed to achieve. This line of work is based on informal methods to identify and analyze human actions, in contrast to our framework, which is based on a logical formalism. In [26] the authors use graphs and deterministic finite state automata to model and analyze human behaviors in critical systems. Although we share the formal approach with them, our framework differs in its capability to analyze systems influenced by unpredictable human activities, in contrast with those predefined for industrial material-handling processes. Interesting works in modeling and reasoning about human operators are, e.g., [30, 13], where the analysis is based on concurrent game structures, a formalism similar to the ACS we used in Section 3. The accurate verification analysis and the decidability result we presented in this paper are the major differences that distinguish our work from theirs.

7 Appendix



7.1 Formal preliminaries 

We assume some familiarity with the syntactic and semantic notions of first-order 
logic [12] and Constraint Datalog [17]. 

Let $\Sigma$ be a signature, i.e., a collection of function and predicate symbols with their arities. A $\Sigma(x)$-expression is an expression (a term, an atom, a literal, or a formula) built out of the symbols in $\Sigma$ where at most the variables in the sequence $x$ may occur free. We write $E(x)$ to emphasize that $E$ is a $\Sigma(x)$-expression. For two disjoint sequences of variables $x$ and $y$, we write $x, y$ to denote their concatenation.

A $\Sigma$-structure $\mathcal{N}$ is a sub-structure of a $\Sigma$-structure $\mathcal{M}$ iff the domain of $\mathcal{N}$ is contained in the domain of $\mathcal{M}$ and the interpretations of the symbols of $\Sigma$ in $\mathcal{N}$ are restrictions of the interpretations of these symbols in $\mathcal{M}$. A class $\mathcal{C}$ of $\Sigma$-structures is closed under sub-structures iff for every structure $\mathcal{M} \in \mathcal{C}$, if $\mathcal{N}$ is a sub-structure of $\mathcal{M}$ then $\mathcal{N} \in \mathcal{C}$.

Let $\Sigma$ and $\Sigma'$ be two signatures such that $\Sigma \subseteq \Sigma'$. If $\mathcal{M}$ is a $\Sigma'$-structure, then $\mathcal{M}|_{\Sigma}$ is the reduct of $\mathcal{M}$ obtained from $\mathcal{M}$ by forgetting the interpretations of the symbols in $\Sigma' \setminus \Sigma$.

A $\Sigma$-theory $T$ is a set of $\Sigma$-formulae, called axioms. A $\Sigma$-theory $T$ identifies a class $Mod(T)$ of $\Sigma$-structures that are models of all formulae in $T$. For each theory $T$ considered in the paper, we assume that $Mod(T) \neq \emptyset$ and we then say that $T$ is consistent.

A $\Sigma$-formula $\varphi(x)$ is $T$-satisfiable iff there exists a $\Sigma$-structure $\mathcal{M} \in Mod(T)$, also called a $\Sigma$-model, such that $\mathcal{M} \models \exists x.\, \varphi(x)$. The satisfiability modulo theory $T$ problem, in symbols SMT($T$), consists of establishing the $T$-satisfiability of any quantifier-free $\Sigma$-formula.

A $\Sigma$-theory $T$ is locally finite if $\Sigma$ is finite and, for every set of constants $a$, there exist finitely many ground terms $t_1, \ldots, t_k$ of $\Sigma \cup a$, called representatives, such that for every ground $(\Sigma \cup a)$-term $u$, we have $T \models u = t_i$ for some $i$. If the representatives are effectively computable from $a$ and $t_i$ is computable from $u$, then $T$ is effectively locally finite. A theory $T$ admits quantifier elimination if for an arbitrary formula $\varphi(x)$, possibly containing quantifiers, one can compute a $T$-equivalent quantifier-free formula $\varphi'(x)$.

A formula of the Bernays-Schönfinkel-Ramsey (BSR) class is of the form $\exists x.\, \forall y.\, \varphi(x, y)$, where $x, y$ are (disjoint) tuples of variables and $\varphi$ is a quantifier-free formula built out of a signature containing only predicate and constant symbols (i.e., no function symbol occurs in $\varphi$). Formulae of the BSR class where $x$ is empty are called universal, whereas when $y$ is empty they are called existential. It is easy to show that any theory whose axioms are universal BSR formulae is effectively locally finite. Satisfiability of BSR formulae is well-known to be decidable [23].

Let $T$ be a $\Sigma$-theory and $R$ a tuple of predicate symbols not in $\Sigma$. A BSR($T$)-formula is a formula of the form $\exists x.\, \forall y.\, \varphi(x, y)$, where $\varphi$ is a quantifier-free $\Sigma'$-formula, $\Sigma' := \Sigma \cup R$, and $\Sigma \cap R = \emptyset$. Universal and existential BSR($T$)-formulae are defined analogously to the corresponding sub-classes of BSR formulae. A BSR($T$)-formula $\varphi$ is $T$-satisfiable iff there exists a $\Sigma'$-structure $\mathcal{M}$ that satisfies $\varphi$ and whose reduct $\mathcal{M}|_{\Sigma}$ is in $Mod(T)$.

Theorem 2 ([24]). Let $T$ be an effectively locally finite $\Sigma$-theory whose class of models is closed under sub-structures, the SMT($T$) problem be decidable, and $R$ be a finite set of predicate symbols such that $\Sigma \cap R = \emptyset$. Then, the satisfiability of BSR($T$)-formulae is decidable.

Let $T$ be a $\Sigma$-theory. A constraint Datalog rule is a formula of the form

$\forall x, y.\, \xi(x, y) \wedge \bigwedge_{i=1}^{n} A_i(x, y) \rightarrow A_0(x)$,

also written as

$A_0(x) \leftarrow A_1(x, y) \wedge \cdots \wedge A_n(x, y) \wedge \xi(x, y)$,

where $A_i$ is an atom for $i = 0, 1, \ldots, n$, $\xi(x, y)$ is a quantifier-free $\Sigma(x, y)$-formula, called the constraint of the rule, and $x, y$ are disjoint tuples of variables; when $n = 0$, the constraint Datalog rule is also called a constraint fact.

The non-ground Herbrand base of a set $LP$ of constraint Datalog rules is the set of constraint facts modulo equality. The non-ground immediate consequences operator $S_{LP}$ is defined over a collection of constraint facts $F$ as follows: $S_{LP}(F)$ contains all the constraint facts of the form $A_0(x) \leftarrow \xi(x, y)$ when $A_0(x) \leftarrow A_1(x, y) \wedge \cdots \wedge A_n(x, y) \wedge \xi'(x, y)$ is in $LP$, $A_i \leftarrow \xi_i$ is in $F$ for $i = 1, \ldots, n$, and $\xi$ is logically equivalent (in $T$) to $\xi_1 \wedge \cdots \wedge \xi_n \wedge \xi'$, where it is implicitly assumed that the variables in the rule and those in the constraint facts have been renamed so as to make them pairwise disjoint. It is possible to show the existence of the least fix-point $lfp(S_{LP})$ of $S_{LP}$, which may be infinite.

It is sometimes possible to show that $lfp(S_{LP})$ is finite. Let $T$ admit quantifier elimination. Let $r_0(x) \leftarrow \bigwedge_{i=1}^{n} r_i(x_{k_i}) \wedge \xi_0(x)$ be a constraint Datalog rule and $r_i(x_{k_i}) \leftarrow \xi_i(x_{k_i})$ be a constraint fact for $\xi_i$ a quantifier-free $\Sigma(x_{k_i})$-formula, $k_i$ the arity of $r_i$, and $i = 1, \ldots, n$. A constraint rule application produces $m \geq 0$ facts of the form $r_0(x) \leftarrow \xi'_j(x)$, where $\xi'_j$ is a quantifier-free $\Sigma(x)$-formula for $j = 1, \ldots, m$, and $\bigvee_{j=1}^{m} \xi'_j$ is equivalent (by the elimination of quantifiers in $T$) to the formula

$\exists y.\, \big( \bigwedge_{i=1}^{n} \xi_i(x_{k_i}) \wedge \xi_0(x) \big)$,

where $y$ is the tuple of variables occurring in the body of the rule but not in the head. The algorithm to compute the least fix-point of a set of constraint Datalog rules is given in Fig. 6. The function constrFP terminates when all derivable new facts are implied by previously derived facts, so that the least fix-point is reached.

Theorem 3 ([24]). Let $T$ be an effectively locally finite theory that admits elimination of quantifiers. Then, constrFP terminates returning a finite set of constraint facts.
function constrFP(F, R)
  results ← F; Changed ← true;
  while Changed do
    Changed ← false
    foreach rule ∈ R do
      foreach tuple of constraint facts constructed from results do
        newres ← constraint facts obtained by constraint rule
                 application between rule and tuple
        foreach fact ∈ newres do
          if (results ⊭ fact) then results ← results ∪ {fact};
                                    Changed ← true;
        end
      end
    end
  end
  return results

Fig. 6: Least fix-point computation of constraint Datalog rules (adapted from [17]): $F$ is a set of constraint facts and $R$ is a set of constraint Datalog rules.



7.2 Proof of Theorem 1 

Proof. By considering Definition 2 in Section 3, let $\psi_1, \ldots, \psi_{n-1}$ be a sequence (possibly containing repetitions) of elements in $\Psi$. Since $\Psi$ is finite, there are finitely many sequences of elements of length $n$. Thus, we can enumerate all such sequences. Since the value of $n$ is given together with the collection $\{H_0, \ldots, H_{n-1}\}$ of non-mechanizable facts, it is possible to compute the least fixed point of the set $\mathcal{R}_n$ of constraints in (7) by repeatedly invoking the function constrFP of Fig. 6 in Section 7.1 as follows. Let

$R_0 := constrFP(\{I(\mathsf{msg}_0), H_0(\mathsf{uknows}_0)\}, \overline{Po}(\mathsf{knows}_0))$

be the set of constraint facts generated from the initial state of the system, where $\overline{Po}$ has been obtained from Po by replacing each constraint Datalog rule $r$ with the set $\{r\sigma\}_{\sigma}$, where $\sigma$ ranges over the mappings that associate the variables occurring in the body of $r$ but not in the head of $r$ with the constants of sort Principal in $C$, satisfying the (C1) requirement.

By Theorem 3 in Section 7.1, the invocation of constrFP terminates returning the finite set $R_0$ of constraint facts. In fact, both $I(\mathsf{msg}_0)$ and $H_0(\mathsf{uknows}_0)$ are constraint facts, $\overline{Po}(\mathsf{knows}_0)$ is a set of constraint Datalog rules, and the substrate theory $T_S$ satisfies the (C4) requirement. Note that there is no need to eliminate quantifiers during a constraint rule application as all the variables occurring in the body of a constraint Datalog rule of $\overline{Po}(\mathsf{knows}_0)$ occur also in its head. We are thus entitled to conclude that $R_0$ and $\mathcal{R}_0$ defined in (7) are equal (modulo variable renaming). Then, let

$R_1 := constrFP(\{H_1(\mathsf{uknows}_1)\}, Eff_{\psi}(R_0, \psi(\mathsf{msg}_0, \mathsf{msg}_1)) \cup \overline{Po}(\mathsf{knows}_1))$, where, for $i \geq 0$,

$Eff_{\psi}(F, \psi(\mathsf{msg}_i, \mathsf{msg}_{i+1})) := \{\mathsf{msg}_{i+1}(y, z, w) \leftarrow Upd_i(y, z, w)\sigma \mid \overline{F} \cup \{G_i\sigma\}$ is $T_S$-satisfiable by considering $p_1, x_1, \ldots, p_m, x_m$ as fresh constants$\}$,
$\overline{F} := \{A \wedge \xi \mid (A \leftarrow \xi) \in F\}$,

and $Upd_i$ and $G_i$ are obtained from $Upd$ and $G$ by replacing msg and uknows with $\mathsf{msg}_i$ and $\mathsf{uknows}_i$, respectively.

Note that $Eff_{\psi}(F, \psi)$ is finite if $F$ is so. Also, the satisfiability of formulae over a signature extended with fresh constants is decidable when the satisfiability problem of the theory over its original signature is decidable [29].² Thus, since $T_S$-satisfiability is decidable by assumption, it is also decidable to check whether $\overline{F} \cup \{G_i\sigma\}$ is $T_S$-satisfiable. Hence, we are entitled to conclude that $Eff_{\psi}(R_0, \psi(\mathsf{msg}_0, \mathsf{msg}_1))$ is finite since $R_0$ is so. It is now easy to see that $constrFP(\{H_1(\mathsf{uknows}_1)\}, Eff_{\psi}(R_0, \psi(\mathsf{msg}_0, \mathsf{msg}_1)) \cup \overline{Po}(\mathsf{knows}_1))$ terminates for reasons similar to those discussed for the computation of $R_0$. The only difference is in the constraint Datalog rules derived from $Eff_{\psi}(R_0, \psi(\mathsf{msg}_0, \mathsf{msg}_1))$, for which it is not difficult to verify that the variables occurring in the body also occur in the head, thereby making it unnecessary to eliminate quantifiers, as for $R_0$. Thanks to basic properties of constrFP (see [17]), we can derive that $R_1$ is equal (modulo variable renaming) to $\mathcal{R}_1$. By a straightforward induction, generalizing the previous observations on $R_1$, it is possible to show that $R_i$ is a finite set of constraint facts equal (modulo variable renaming) to $\mathcal{R}_i$, for $i \geq 2$.

We are thus left with the problem of checking the $T_S$-satisfiability of the (finite) set $\mathcal{R}_n$ of constraint facts, for some $n > 0$. This can be done as follows. For each constraint fact $A \leftarrow \xi_i$ in $\mathcal{R}_n$, form the formula $\varphi_A$ by taking the disjunction of all $\xi_i$'s for $i \geq 0$. Then, take the disjunction of all the formulae $\varphi_A$ built at the previous step and build the quantifier-free formula $\varphi$. The satisfiability of the resulting BSR($T_S$)-formula is indeed decidable thanks to Theorem 2 in Section 7.1. This concludes the proof.

7.3 Main derivation of CRO scenario 

In this section, we illustrate the access control layer underlying (a simplified 
version of) an e-Government application, first described in [2]. We already have 
a description of the CRO case study in the body of the paper (see Section 1.2) 
and here we show, step by step, the derivation process of its main access control 
query knows(CRep, a2i(Ed, cans)). 

² Note that we can extend the signatures with fresh (Skolem) constants since we consider all the classes of models of the substrate theory $T_S$. The least fix-point semantics is used only when considering the constraint Datalog rules specifying the policies, not the substrate theory.
(a) Informal view of state $S_3$ (diagram not reproduced)

(b) Certificate passing (first step):

($m_1$) msg(CA, said(a2i(Ed, ise)), Ed)
($m_2$) msg(CA, said(a2i(Helen, ish)), Ed)
($m_3$) msg(Helen, said(a2i(Ed, cans)), Ed)

(C1) knows(Ed, s2i(CA, said(a2i(Ed, ise))))
(C2) knows(Ed, s2i(CA, said(a2i(Helen, ish))))
(C3) knows(Ed, s2i(Helen, said(a2i(Ed, cans))))

Fig. 7: CRO certificate passing representation up to state $S_3$



A scenario of a possible run of the system is illustrated in Fig. 7(a) where, in the displayed state, the three certificates (C1), (C2) and (C3) in Ed's possession can be derived from the set of non-mechanizable facts as described in Example 2 of Section 2.2.³ This is the result of the sending of three messages $m_1$, $m_2$, and $m_3$ (labeling the arrows in Fig. 7(a)) as a consequence of the threefold application of the state-change rule (1).

After the successful processing of a car registration request, Ed is willing to permanently store it in CRep. In order to do this, he should comply with the CRep policy that regulates access to its central database. The decision of CRep to grant or deny to employees of a CRO the right to store a processed request in the database is based on the rules (P1)-(P4) described in Example 3 of Section 2.3, which we report again, informally, as follows:

(P1) an employee of a CRO can store documents in the CRep, if the head of the CRO permits it.

Since the application of (P1) is based on valid certificates, further policy regulations must specify the trust relationships that allow CRep to validate the certificates in its possession. Such rules are:

(P2) certificates signed by CA are trusted by anyone,
(P3) any certificate signed by CA and countersigned by any principal is trusted as one being signed by CA itself, and
(P4) concerning the certificates about the permission of storing documents, the head of a CRO is trusted by anyone.

³ Some of the details of the figure will be made clear below, e.g., the numbering of the states and the fact that we only show the most interesting states of the system.

In order to satisfy the access policies (P1)-(P4) of CRep, Ed is supposed to forward to CRep the certificates in his possession, after signing each one of them. We want to remark that we preserve the countersign action as described in the original scenario definition in [2]. As widely discussed in [4], the role of CRep is not purely passive but can potentially include checking the digital signatures of the principals involved. Even if it is not relevant for our purposes in this paper, it is important to underline the capability of our formalization to model more complex classes of scenarios. After receiving Ed's certificates, CRep should be able to grant him the right to store documents in its internal database using all the information in its possession.

We want to define the CRO scenario as an instance of the ACS in Definition 2. So, we proceed by defining each element of the transition system.

Let $T_S$ be the effectively locally finite substrate theory underlying the CRO as described in Section 3.1; we take $Const_P := \{Ed, Helen, CRep, CA\}$ and $Const_A := \{ise, ish, cans\}$ as the two (countable) sets of constants of sort Principal and Attribute, to identify the four principals depicted in Fig. 7(a) and the attributes of being an employee, being a head and having the right to store a document in the database, needed to build the initial certificates. The elements of $Const_A$ depend on the application we are considering and, to characterize this set as particular primitive elements (not created by the "function" tdOn), we have to add to the set In the following axioms:

$\forall x.\, prim(x) \rightarrow x = ise \vee x = ish \vee x = cans$ and $ise \neq ish \wedge ise \neq cans \wedge ish \neq cans$

as described in Section 3.1.

We proceed with our formalization considering the set $K$ of {uknows}-atoms and the set $M$ of {msg}-atoms to represent the state of the system according to Section 3.2. The initial situation is represented by the three non-mechanizable facts (F1)-(F3) shown in Fig. 8 (as introduced in Example 1), generated by the (arbitrary) human activities of CA and Helen in order to put into the system the credentials needed to fulfill the established goal. Considering the content of the network, we define a state to be initial if $M = \emptyset$.

(F1) uknows(CA, a2i(Ed, ise))
(F2) uknows(CA, a2i(Helen, ish))
(F3) uknows(Helen, a2i(Ed, cans))

Fig. 8: CRO representation of the non-mechanizable facts in the initial state $s_0$

Let Po be the set of BSR($T_S$)-formulae (1), (2), (3), together with the axioms described according to Section 3.1 and the application-dependent CLP rules (P1)-(P4) of Example 3, where $p$, $q$, and $r$ are variables of sort Principal and $x$ is a variable of sort Infon. Clauses (P2), (P3) and (P4), stating the trust relationships between the various principals, are required to derive the hypotheses of (P1) in combination with the use of rule (4), as we will see below.

We have now all the information to define the CRO case study as an instance 
of the ACS according to Definition 2. 

Let CRO = (uknows, msg, I, P_0, Ψ) be the CRO-ACS with substrate theory 
T_S, where: 

— knows(CRep, a2i(Ed, cans)) is the goal G that must be satisfied, 

— (F1), (F2), (F3) are the non-mechanizable facts declared above, 

— I(msg) represents the first-order formula describing the initial state, 

— P_0 is the set of BSR(T_S)-formulae according to the definition above, 

— Ψ is a (finite) set of state-change rules of the form of (6). 

We can now easily describe the execution of the system representing and 
collecting the set St of states, by means of the two predicate symbols uknows 
and msg which model the dynamic part of the access control, unlike the static 
one modeled by the first-order theory Ts previously defined. 

We will write s := K | M for a generic state, to represent the set K ∪ M. 

The initial situation in Fig. 8 (that for convenience we report here again) can 
be formalized by the following initial (symbolic) state: 

  s_0 := {(F1), (F2), (F3)} | ∅. 

Now, applying the rule (2) in Section 2.2 and computing the fixed point by the 
constrFP procedure described in Fig. 6, we derive the following constraint facts: 

  knows(CA, a2i(Ed, ise)), knows(CA, a2i(Helen, ish)), and knows(Helen, a2i(Ed, cans)). 

At this point, we are ready to obtain the state s_3 depicted in Fig. 7(a) by 
repeatedly applying (three times) the state-change rule (1). Considering the 
grounding substitution σ_1 := {p ↦ CA, q ↦ Ed, x ↦ a2i(Ed, ise)}, we have the 
following instance of (1): 

  knows(CA, a2i(Ed, ise)) ⊕ msg(CA, said(a2i(Ed, ise)), Ed), 

which is clearly enabled in s_0. The effect of applying ψσ_1 to the constrained 
facts just computed in s_0 leads to 

  s_1 := K | {msg(CA, said(a2i(Ed, ise)), Ed)}, 

where K = {(F1), (F2), (F3)}. 

Fig. 9: CRO certificate passing representation up to state s_6. 
  (a) Informal view of state s_6. 
  (b) Certificate passing (second step): 
    (m4) msg(Ed, said(s2i(CA, said(a2i(Ed, ise)))), CRep) 
    (m5) msg(Ed, said(s2i(CA, said(a2i(Helen, ish)))), CRep) 
    (m6) msg(Ed, said(s2i(Helen, said(a2i(Ed, cans)))), CRep) 

    (C4) knows(CRep, s2i(Ed, said(s2i(CA, said(a2i(Ed, ise)))))) 
    (C5) knows(CRep, s2i(Ed, said(s2i(CA, said(a2i(Helen, ish)))))) 
    (C6) knows(CRep, s2i(Ed, said(s2i(Helen, said(a2i(Ed, cans)))))) 

It is not difficult to see that two further applications ψσ_2, ψσ_3 (where σ_2 
and σ_3 are suitable ground substitutions) of (1) allow us to obtain the state 

  s_3 := K | { msg(CA, said(a2i(Ed, ise)), Ed), 
               msg(CA, said(a2i(Helen, ish)), Ed), 
               msg(Helen, said(a2i(Ed, cans)), Ed) }, 

which is the formal counterpart of the configuration depicted in Fig. 7. 

It is also immediate to see that the repeated application of the function 
constrFP in Fig. 6 to states s_2 and s_3 generates the following three facts (by 
repeatedly applying clause (3)): 

  knows(Ed, s2i(CA, said(a2i(Ed, ise)))), 
  knows(Ed, s2i(CA, said(a2i(Helen, ish)))), 
  knows(Ed, s2i(Helen, said(a2i(Ed, cans)))) 

representing the formal counterpart of certificates (C1), (C2) and (C3) in Fig. 
7(b). 

Applying again the reasoning introduced up to now, these last three facts 
can be used by Ed to counter-sign the certificates and send them to CRep as 
depicted in Fig. 9(a) (by appropriate instances ψσ_4, ψσ_5, ψσ_6 of rule (1) with 
σ_4, σ_5, σ_6 suitable ground substitutions), thereby deriving the state 

  s_6 := K | M_3 ∪ { msg(Ed, said(s2i(CA, said(a2i(Ed, ise)))), CRep), 
                     msg(Ed, said(s2i(CA, said(a2i(Helen, ish)))), CRep), 
                     msg(Ed, said(s2i(Helen, said(a2i(Ed, cans)))), CRep) }, 

which is the formalization of the configuration in Fig. 9, where M_3 abbreviates 
the second component of the state s_3 above. At the end of each single application 
of the state-change rule (1), the function constrFP returns (by using clause (3)) 
the set of certificates (C4), (C5) and (C6) represented in Fig. 9(b). 

Once the application has reached the state s_6, it is possible for CRep to take 
the decision to grant or deny to Ed the permission to store the processed request 
in the database. To this end, we need to validate the certificates that are in pos- 
session of CRep against the chain of trust relationships represented by the Horn 
clauses (P2)-(P4). More specifically, first, we consider the trust relationships 
concerning the certificates about the roles of the principals (C1), (C2) and then 
the certificate about the permission to store documents in the database, (C3). 
Formally, this can be done by using the Horn clause (4) introduced in Section 
2.3. 

In the following, we describe which instances of (4) need to be considered 
and how their hypotheses are discharged. In order to positively answer the query 
G(knows(CRep, a2i(Ed, cans))), we consider the following instance of (P1): 

  (G) knows(CRep, a2i(Ed, cans)) ← knows(CRep, a2i(Helen, ish)) 
                                  ∧ knows(CRep, a2i(Ed, ise)) 
                                  ∧ knows(CRep, s2i(Helen, said(a2i(Ed, cans)))), 

let us call it (G) (to recall the goal of the reachability analysis problem of Sec- 
tion 3). We have the problem of discharging the three hypotheses of (G), which 
can be grouped in two categories. In fact, the first two concern the roles of the 
principals (in particular, the fact that Ed should be an employee and that Helen 
should be the head of the Car Registration Office), while the last is about the 
permission to store documents in the central repository. We consider each category 
in detail. 



Validation of certificates about the roles of principals Intuitively, we need to 
apply (P3) and (P2) so as to enable CRep to derive the pieces of knowledge 
that Ed is an employee (fact (H3) below) and that Helen is the head of the Car 
Registration Office (fact (H4) below). Indeed, in the derivation, the certificates 
(C4) and (C5) will be used which, in turn, are obtained from (C1) and (C2) 
via the applications of the state-change rule (1) described above. We begin by 
considering the following instances of (4): 

  (H1) knows(CRep, s2i(CA, said(a2i(Ed, ise)))) ← 
         knows(CRep, s2i(Ed, said(s2i(CA, said(a2i(Ed, ise)))))) ∧ 
         knows(CRep, a2i(Ed, tdOn(s2i(CA, said(a2i(Ed, ise)))))) 

  (H2) knows(CRep, s2i(CA, said(a2i(Helen, ish)))) ← 
         knows(CRep, s2i(Ed, said(s2i(CA, said(a2i(Helen, ish)))))) ∧ 
         knows(CRep, a2i(Ed, tdOn(s2i(CA, said(a2i(Helen, ish)))))) 

and notice that the first hypotheses are identical to (C4) and (C5), respectively. 
The second hypotheses of the two instances above are identical to the following 
two instances of (P3): knows(CRep, a2i(Ed, tdOn(s2i(CA, said(a2i(Ed, ise)))))) and 
knows(CRep, a2i(Ed, tdOn(s2i(CA, said(a2i(Helen, ish)))))). So, we are entitled to 
consider the heads of the two instances of (4) above as derived ground facts; let 
us call them (H1) and (H2), respectively. Then, consider two more instances of 
(4): 

  (H3) knows(CRep, a2i(Ed, ise)) ← 
         knows(CRep, s2i(CA, said(a2i(Ed, ise)))) ∧ 
         knows(CRep, a2i(CA, tdOn(a2i(Ed, ise)))) 

  (H4) knows(CRep, a2i(Helen, ish)) ← 
         knows(CRep, s2i(CA, said(a2i(Helen, ish)))) ∧ 
         knows(CRep, a2i(CA, tdOn(a2i(Helen, ish)))) 

The first hypotheses of these two ground Horn clauses are identical to (H1) 
and (H2), respectively. Their second hypotheses are identical to the following 
two instances of (P2): knows(CRep, a2i(CA, tdOn(a2i(Ed, ise)))) and 
knows(CRep, a2i(CA, tdOn(a2i(Helen, ish)))). As a consequence, we can consider 
the heads of the last two instances of (4) as derived ground facts; let us call 
them (H3) and (H4), respectively. 

Validation of certificates about the permission of storing documents Intuitively, 
we need to apply (P4) so as to make immediately available to CRep the knowledge 
about the authorization state concerning the fact that Ed is permitted to store 
documents in the central repository by Helen (fact (H6) below). We begin by 
considering the following instance of (P4): 

  (H5) knows(CRep, a2i(Ed, tdOn(s2i(Helen, said(a2i(Ed, cans)))))) 
         ← knows(CRep, a2i(Helen, ish)). 

Since the hypothesis of this Horn clause is identical to (H4), we are entitled 
to consider the head of this clause as a derived fact; let us call it (H5). Then, 
consider the following instance of (4): 

  (H6) knows(CRep, s2i(Helen, said(a2i(Ed, cans)))) ← 
         knows(CRep, s2i(Ed, said(s2i(Helen, said(a2i(Ed, cans)))))) ∧ 
         knows(CRep, a2i(Ed, tdOn(s2i(Helen, said(a2i(Ed, cans)))))). 

The first hypothesis of the instance is identical to (C6) and the second hypothesis 
is equal to (H5); thus, we can consider its head as a derived ground fact, let us 
call it (H6). 

Putting things together At this point, it is sufficient to observe that the first 
hypothesis of (G) is (H4), the second is (H3), and the last is (H6), so that we 
can consider the head of the rule as a derived ground fact, which is precisely the 
query that we were interested in answering, knows(CRep, a2i(Ed, cans)). 
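The derivation of (H1)-(H6) and (G) above, replayed as a forward-chaining fixed point in the spirit of constrFP (an added example, not the paper's tooling; the encoding of rules (4), (P1)-(P4) as Python checks, and the helper names a2i/s2i/td_on/trust/closure/can_store, are this example's assumptions). It also shows that dropping the head certificate (C5) or the grant (C6) leaves the goal underivable.

```python
"""Forward-chaining check of the CRO trust-chain derivation (added example;
the encoding of rules (4), (P1)-(P4) is this example's reading of the paper)."""

CA, ED, HELEN = "CA", "Ed", "Helen"

def a2i(p, a): return ("a2i", p, a)             # attribute infon: p has a
def s2i(p, x): return ("s2i", p, ("said", x))   # p signed/said x
def td_on(x):  return ("tdOn", x)               # "trusted on x" attribute

# Constructed input: what CRep knows in state s_6, certificates (C4)-(C6).
C4 = s2i(ED, s2i(CA, a2i(ED, "ise")))
C5 = s2i(ED, s2i(CA, a2i(HELEN, "ish")))
C6 = s2i(ED, s2i(HELEN, a2i(ED, "cans")))

def trust(q, x, known):
    """(P2)-(P4): does CRep trust q on infon x, given what it knows?"""
    if q == CA and x[0] == "a2i":               # (P2) CA on role assertions
        return True
    if x[0] == "s2i" and x[1] == CA:            # (P3) forwarders of CA statements
        return True
    if x[0] == "s2i":                           # (P4) q on "head r said q cans"
        r, said = x[1], x[2][1]
        return said == a2i(q, "cans") and a2i(r, "ish") in known
    return False

def closure(known):
    """Least fixed point of rules (4) and (P1) over the known infons."""
    known = set(known)
    while True:
        new = set()
        for inf in known:
            if inf[0] == "s2i":                 # inf = s2i(q, said(x))
                q, x = inf[1], inf[2][1]
                if trust(q, x, known):
                    new.add(a2i(q, td_on(x)))   # trust attribute made explicit
                    new.add(x)                  # rule (4): discharge q's signature
            if inf[0] == "a2i" and inf[2] == "ise":   # (P1): employee + head's grant
                emp = inf[1]
                heads = {i[1] for i in known if i[0] == "a2i" and i[2] == "ish"}
                for r in heads:
                    if s2i(r, a2i(emp, "cans")) in known:
                        new.add(a2i(emp, "cans"))
        if new <= known:
            return known
        known |= new

def can_store(certs, who=ED):
    """The goal G: does CRep derive knows(CRep, a2i(who, cans))?"""
    return a2i(who, "cans") in closure(certs)
```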

As a final remark, we observe that it is possible to model several scenarios by 
considering alternative ways of distributing the certificates among the principals. 
For example, initially, only the certificate about his role can be sent to Ed, that 
concerning the role of Helen is sent to her, and that about the permission for 
Ed to store documents in the central repository can be sent to CRep directly 
from Helen. Indeed, this changes the way in which we can derive the query of 
interest as certificates are counter-signed by different principals so that trust 
relationships must be chained differently. 

7.4 Dkal implementation for CRO scenario 

In this section, we give a concrete implementation of the proposed CRO sce- 
nario in Section 1.2, by using the DKAL distributed authorization policy lan- 
guage provided by Microsoft Research [21]. The DKAL project page [11] contains 
a downloadable engine (implemented in F#) for running and checking DKAL 
policies. We implemented and successfully tested the scenario proposed in this 
paper, and we give the corresponding code in the following: 



Input specification code 

type Principal = Dkal.Principal 
type Infon = Dkal.Infon 
type Attribute = System.String 
type Evidence = Dkal.Evidence 

relation hasrole(P: Principal, A: Attribute) 
relation haspermission(P: Principal, A: Attribute) 






crep 

//crep's policy 

//rule to learn every justified infon that comes from the communication 
with X: Infon, E: Evidence 
upon X [E] 
do learn X [E] 

//(P1) rule 
with P: Principal, Q: Principal, R: Principal, 
     E: Evidence, E1: Evidence, E2: Evidence 
if hasrole(P, ish) [E] 
if hasrole(Q, ise) [E1] 
if R said haspermission(Q, cans) [E2] 
do once send to ed: haspermission(P, "ok ed, u can write!") 

//(P2) rule 
with P: Principal, X: Infon, E: Evidence 
upon theca said X [E] 
do learn X 

//(P3) rule 
with P: Principal, X: Infon, E: Evidence 
upon P said theca said X [E] 
do learn theca said X 

//(P4) rule 
with P: Principal, Q: Principal, R: Principal, E: Evidence, E1: Evidence 
if hasrole(P, ish) [E] 
do learn hasrole(P, ish) -> Q said P said hasrole(R, ise) [E1] 

ed 

//ed's policy 
with P: Principal, Q: Principal, R: Principal, A: Attribute, E: Evidence, X: Infon 
upon X -> R said haspermission(P, A) [E] 
do once send to crep: Me said haspermission(Me, A) [E] 

with Q: Principal, R: Principal, A: Attribute, E: Evidence, X: Infon 
upon Q said hasrole(R, A) [E] 
do once say with justification to crep: Q said hasrole(R, A) [E] 

theca 

//theca's policy 

// internal knowledge about roles of principals 
substrate xml("<roleAssignments> 
  <roleAssignment id='ed' role='ise' /> 
  <roleAssignment id='helen' role='ish' /> 
</roleAssignments>") 
namespaces "roleAssignments" 

with P: Principal, P1: Principal, A: Attribute, A1: Attribute 
if asInfon({| "roleAssignments" | "//roleAssignment[@role='ise']/@id" | P |}) && 
   asInfon({| "roleAssignments" | "//roleAssignment[@id='ed']/@role" | A |}) && 
   asInfon({| "roleAssignments" | "//roleAssignment[@role='ish']/@id" | P1 |}) && 
   asInfon({| "roleAssignments" | "//roleAssignment[@id='helen']/@role" | A1 |}) 
do say with justification to P: hasrole(P, A) 
   say with justification to P: hasrole(P1, A1) 

helen 

//helen's policy 

// internal knowledge about permissions of principals 
substrate xml("<permissionAssignments> 
  <permissionAssignment id='ed' perm='cans' /> 
</permissionAssignments>") 
namespaces "permissionAssignments" 

with P: Principal, A: Attribute 
if asInfon({| "permissionAssignments" | "//permissionAssignment[@perm='cans']/@id" | P |}) && 
   asInfon({| "permissionAssignments" | "//permissionAssignment[@id='ed']/@perm" | A |}) 
do send with justification to P: 
   // delegation to Ed: the haspermission condition must be entailed by Ed's 
   // infostrate 
   with Q: Principal, A1: Attribute 
     Q said haspermission(Q, A1) -> Me said haspermission(P, A) 


Output specification code 

» From theca to ed: 
theca said hasrole(ed, "ise") [ signed by theca 1693769001 ] && 
theca said hasrole(helen, "ish") [ signed by theca 1939556616 ] 

» From helen to ed: 
with Q: Dkal.Principal, A1: System.String 
  Q said haspermission(Q, A1) -> 
  helen said haspermission(ed, "cans") 
[ signed by helen -973755704 ] 

» From ed to crep: 
ed said haspermission(ed, "cans") [ signed by helen -973755704 ] && 
ed said theca said hasrole(ed, "ise") [ signed by theca 1693769001 ] 
  [ signed by ed -855343925 ] && 
ed said theca said hasrole(helen, "ish") [ signed by theca 1939556616 ] 
  [ signed by ed -14984535 ] 

» From crep to ed: 
ok ed, u can write! 

Fixed-point reached 